GAO: Can DoD Keep Pace with Cyber Threats?

Among federal agencies, the Department of Defense arguably is among the best prepared to defend against cybersecurity threats, but the jury is out whether DoD can keep pace with the magnitude of dangers it faces from cyberspace.

Though America remains dominant on land, sea and air, technical and economic barriers to gain entry in cyberspace are much lower for adversaries, and as a result, place the United States' networks at great risk, GAO says in its 75-page report.

GAO says senior Defense leaders understand the severity of the challenge, and points out that DoD has taken important steps to better organize its cyber efforts, including the creation of the U.S Cyber Command (see Gates Describes Military Command's Role). "But it is too early to tell whether this will provide the necessary leadership and guidance DoD requires to address cybersecurity threats."

The Defense Department has much to protect, depending on 7 million computer devices, linked on over 10,000 networks with satellite gateways and commercial circuits that are composed of innumerable devices and components. And, that doesn't include computers, devices and networks operated by defense contractors that perform much work for the DoD.

Nearly two weeks ago, after the GAO report was written but before being made public, Deputy Defense Secretary William Lynn III revealed that hackers believed to be backed by another nation breached a defense contractor's computers and obtained 24,000 Pentagon files related to systems being developed for the Defense Department during a single intrusion in March, one of the worst digital attacks against the DoD. (see Hackers Breach Most Sensitive Military Systems).

But DoD faces more mundane challenges that could put its IT at risk. GAO cites DoD's numerous joint doctrine publications that discuss cyber-related topics that include content it deems incomplete or out of date. Discussions such as what constitutes a cyber force are not uniformly defined across DoD doctrine publications and guidance. GAO says DoD recognizes the need to develop and update cyber-related joint doctrine and is debating the merits of developing a single, overarching cyber joint doctrine publication in addition to updating all existing doctrine. Still, GAO says, DoD has yet to set a timetable for the completion of these efforts.

Another example of the deficit in existing doctrine is the lack of a common definition for what constitutes cyber personnel. GAO cites a U.S. Joint Forces Command report that found DoD employs 18 different cyber position titles across combatant commands to identify cyberspace forces. "This can cause confusion in planning for adequate types and numbers of personnel," the GAO says. "Because career paths and skill sets are scattered across various career identifiers ... there are cases in which the same cyber-related term may mean something different among the services."

In the report, GAO recommends that DoD establish a timeframe to decide whether to complete a separate joint cyberspace publication and for updating the existing body of joint publications; clarify command and control relationships regarding cyberspace operations and establish a timeframe for issuing the clarified guidance, and more fully assess cyber-specific capability gaps and develop a plan and funding strategy to address them. DoD concurred with the recommendations.

About the Author

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.